On the basis of research from MITRE Engenuity’s Center for Threat-Informed Defense, AttackIQ is proud to announce a new automated adversary emulation plan within the Security Optimization Platform to emulate menuPass, a threat group of likely Chinese origin which the U.S. government has alleged is tied to the Ministry of State Security of the People’s Republic of China. This emulation will be incorporated within the platform over the next week. Join us for a special demo on March 18th, 2021, featuring the menuPass emulation plan. Register here.
Who is menuPass and why is this emulation important for you?
Active since at least 2009, menuPass has targeted the healthcare, defense, aerospace, and government sectors, as well as managed IT service providers, manufacturing and mining companies, and a university. In 2018, the U.S. Department of Justice indicted Chinese nationals Zhu Hua and Zhang Shilong of menuPass for “conspiracy to commit computer intrusion, conspiracy to commit wire fraud, and aggravated identity theft.” Other names for the group include APT10, Stone Panda, Red Apollo, CVNX, and HOGFISH, among others. Many of menuPass’s targets are in the United States and Japan, but the group has been linked to intrusions in at least 12 other countries.
What motivates menuPass?
As the Center for Threat-Informed Defense wrote in the description of this emulation plan, the group is thought to be motivated by objectives aligned to China’s national interests, including economic espionage for the purpose of bolstering China’s industrial power. Its targeting is consistent with China’s strategic objectives as stated in the Five-Year Plan and the Made in China 2025 Plan.
How is the emulation plan structured?
The Center for Threat-Informed Defense’s Intelligence Summary of menuPass’s operations draws on 32 publicly available sources to describe the group, its motivations, objectives, and observed target industries. It describes the typical menuPass Operations Flow, including publicly attributed Tactics, Techniques, and Procedures (TTPs) mapped to MITRE ATT&CK.
The Center for Threat-Informed Defense has linked menuPass’s techniques together into a logical flow of the major steps that often occur across menuPass operations. At a high level, the publicly available reporting about the group’s activities falls into two categories: first, reporting specific to menuPass activity directed against managed service provider (MSP) subscriber networks; and second, activity generally initiated by spearphishing that uses a command-and-control framework to achieve the group’s objectives.
The Center has therefore organized the menuPass emulation plan into two scenarios.
- Scenario 1: Designed to emulate activity attributed to menuPass that is specific to the group’s efforts targeting MSP subscriber networks. The intent of this scenario is to assess an organization’s ability to protect, detect, and defend against execution, tool ingress, discovery, credential access, lateral movement, persistence, collection, and exfiltration.
- Scenario 2: Designed to emulate menuPass’s activities using a command-and-control framework. This scenario is intended to assess an organization’s ability to protect, detect, and defend against execution, discovery, privilege escalation, credential access, lateral movement, exfiltration, command and control, and persistence using a command-and-control framework.
The Center’s menuPass emulation plan is a human-readable, step-by-step, command-by-command implementation of menuPass’s tactics, techniques, and procedures. Structurally, the plan is organized into the two scenarios defined in the Operations Flow. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML description includes all steps, commands, and syntax for Scenario 1, and the YAML template ensures that each step within the YAML is directly coupled with its equivalent in the human-readable version.
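Before loading a machine-readable plan into an automation platform, it is worth checking that each step is well-formed and that its tactic actually falls within the scenario it claims to belong to. The validator below is an added example, not code from the Center for Threat-Informed Defense or from AttackIQ; the step field names (id, name, tactic, technique, command, human_readable_step) and the sample steps are constructed for illustration and are assumptions, not the real plan’s schema. In practice the step list would come from yaml.safe_load() of the plan file; here it is embedded as a Python literal so the example runs offline.

```python
import re
from typing import Any, Dict, List

# ATT&CK technique IDs look like T1082 or, for sub-techniques, T1003.002.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Tactic coverage each scenario claims, taken from the plan description above.
# "tool ingress" is the plan's own wording, kept as-is for comparison.
SCENARIO_TACTICS = {
    1: {"execution", "tool ingress", "discovery", "credential access",
        "lateral movement", "persistence", "collection", "exfiltration"},
    2: {"execution", "discovery", "privilege escalation", "credential access",
        "lateral movement", "exfiltration", "command and control", "persistence"},
}

# Assumed field names for one step of the machine-readable plan.
REQUIRED = ("id", "name", "tactic", "technique", "command", "human_readable_step")


def validate_plan(steps: List[Dict[str, Any]], scenario: int) -> List[str]:
    """Return a list of problems found; an empty list means the plan passed."""
    problems: List[str] = []
    allowed = SCENARIO_TACTICS[scenario]
    seen_refs = set()
    for i, step in enumerate(steps, start=1):
        label = step.get("id", f"<step {i}>")
        missing = [k for k in REQUIRED if k not in step]
        if missing:
            problems.append(f"{label}: missing field(s) {', '.join(missing)}")
            continue
        if not ATTACK_ID.match(step["technique"]):
            problems.append(f"{label}: malformed ATT&CK id {step['technique']!r}")
        if step["tactic"].lower() not in allowed:
            problems.append(
                f"{label}: tactic {step['tactic']!r} not covered by scenario {scenario}")
        if not step["command"].strip():
            problems.append(f"{label}: empty command")
        # Every YAML step must point at exactly one human-readable step.
        ref = step["human_readable_step"]
        if ref in seen_refs:
            problems.append(f"{label}: duplicate human-readable reference {ref!r}")
        seen_refs.add(ref)
    return problems


# Constructed sample, not taken from the real plan. The third step carries three
# deliberate defects: a tactic outside Scenario 1, a malformed technique ID, and
# a human-readable reference that collides with the second step.
SAMPLE_SCENARIO_1 = [
    {"id": "1.A.1", "name": "System information discovery", "tactic": "Discovery",
     "technique": "T1082", "command": "systeminfo",
     "human_readable_step": "Step 1.A.1"},
    {"id": "1.B.1", "name": "Save SAM hive", "tactic": "Credential Access",
     "technique": "T1003.002", "command": "reg save HKLM\\SAM sam.hiv",
     "human_readable_step": "Step 1.B.1"},
    {"id": "1.C.1", "name": "Check privileges", "tactic": "Privilege Escalation",
     "technique": "1068", "command": "whoami /priv",
     "human_readable_step": "Step 1.B.1"},
]

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_SCENARIO_1, scenario=1):
        print(problem)
```

Run as a script, the validator reports the three defects in step 1.C.1 and nothing for the first two steps; validating the same third step against Scenario 2 reports only the malformed technique ID, because privilege escalation is within that scenario’s stated coverage.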
The emulation will be included in the AttackIQ Security Optimization Platform within two weeks. Register for the March 18th demonstration of the menuPass emulation here.